authorClaudio Jeker <claudio@cvs.openbsd.org>2011-04-06 13:18:40 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2011-04-06 13:18:40 +0000
commit91627ea8959bf9fbfc90c2468768eecbaff96ded (patch)
tree030209d11f8bef9db2eed94c5b26fc157b21c783 /sys
parent130e0762f2855e10c5c3953aa723d8fbd4c657d9 (diff)
Allow PF to filter on the rdomain a packet belongs to. This allows
writing rules like "pass in on rdomain 1". Tested by phessler@, OK henning@
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf.c11
-rw-r--r--sys/net/pf_ioctl.c9
-rw-r--r--sys/net/pfvar.h18
3 files changed, 27 insertions, 11 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index c45a980494a..c52a9cc7ccd 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.737 2011/04/05 20:36:59 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.738 2011/04/06 13:18:39 claudio Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1452,6 +1452,9 @@ pf_calc_skip_steps(struct pf_rulequeue *rules)
PF_SET_SKIP_STEPS(PF_SKIP_IFP);
if (cur->direction != prev->direction)
PF_SET_SKIP_STEPS(PF_SKIP_DIR);
+ if (cur->onrdomain != prev->onrdomain ||
+ cur->ifnot != prev->ifnot)
+ PF_SET_SKIP_STEPS(PF_SKIP_RDOM);
if (cur->af != prev->af)
PF_SET_SKIP_STEPS(PF_SKIP_AF);
if (cur->proto != prev->proto)
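Review bot: The PF_SKIP_RDOM chain is broken whenever `ifnot` differs between neighbouring rules even when neither rule carries an `onrdomain`, although the matcher in pf_test_rule only follows this skip pointer from rules with `onrdomain >= 0`. Restricting the second operand, `if (cur->onrdomain != prev->onrdomain || (cur->onrdomain >= 0 && cur->ifnot != prev->ifnot))`, keeps the step intact across runs of interface-only rules that differ in negation. This affects only skip-chain length, not correctness, so it is optional. pf_calc_skip_steps starts and ends outside this hunk.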
@@ -2801,6 +2804,9 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != direction)
r = r->skip[PF_SKIP_DIR].ptr;
+ else if (r->onrdomain >= 0 &&
+ (r->onrdomain == pd->rdomain) == r->ifnot)
+ r = r->skip[PF_SKIP_RDOM].ptr;
else if (r->af && r->af != af)
r = r->skip[PF_SKIP_AF].ptr;
else if (r->proto && r->proto != pd->proto)
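Review bot: The new rdomain test borrows `r->ifnot` as its negation flag, so a rule that set both an interface match and `onrdomain` would have a single `!` apply to both tests at once; if the rule parser guarantees only one such clause per rule, a one-line comment on the new `else if` (`/* ifnot is shared with the kif test; the parser allows only one of them */`) would stop the next reader from wondering. The identical three-line test appears again in pf_test_fragment below; a `static inline` helper such as `pf_rdomain_mismatch(r, pd)` would keep the two copies from drifting. `pd->rdomain` is not added by this commit, so it is presumably filled in during descriptor setup elsewhere. The body of pf_test_rule starts and ends outside this hunk.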
@@ -3385,6 +3391,9 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != direction)
r = r->skip[PF_SKIP_DIR].ptr;
+ else if (r->onrdomain >= 0 &&
+ (r->onrdomain == pd->rdomain) == r->ifnot)
+ r = r->skip[PF_SKIP_RDOM].ptr;
else if (r->af && r->af != af)
r = r->skip[PF_SKIP_AF].ptr;
else if (r->proto && r->proto != pd->proto)
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 43062c18989..5d2f1ae51e2 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.237 2011/03/25 10:54:22 claudio Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.238 2011/04/06 13:18:39 claudio Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -2517,8 +2517,13 @@ pf_rule_copyin(struct pf_rule *from, struct pf_rule *to,
to->os_fingerprint = from->os_fingerprint;
to->rtableid = from->rtableid;
- if (to->rtableid > 0 && !rtable_exists(to->rtableid))
+ if (to->rtableid >= 0 && !rtable_exists(to->rtableid))
return (EBUSY);
+ to->onrdomain = from->onrdomain;
+ if (to->onrdomain >= 0 && !rtable_exists(to->onrdomain))
+ return (EBUSY);
+ if (to->onrdomain >= 0) /* make sure it is a real rdomain */
+ to->onrdomain = rtable_l2(to->onrdomain);
for (i = 0; i < PFTM_MAX; i++)
to->timeout[i] = from->timeout[i];
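Review bot: `from->onrdomain` arrives from userland and only values `>= 0` are validated, so anything below -1 is stored as-is and later read as "unset" by the `>= 0` guards in pf.c; normalising it here with `if (to->onrdomain < -1) return (EINVAL);` (or clamping to -1) keeps the kernel copy canonical. The comment `/* make sure it is a real rdomain */` also understates what the line does: a table id that is not itself a domain is not rejected but appears to be mapped by `rtable_l2()` to the domain that owns it, which is observable from userland, so `/* accept a plain rtable id and map it to its owning rdomain */` would be more accurate. The two `if (to->onrdomain >= 0)` statements could be folded into one block. pf_rule_copyin continues outside this hunk.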
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 4e06e8b3c60..440771cd60b 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.325 2011/04/05 13:48:18 mikeb Exp $ */
+/* $OpenBSD: pfvar.h,v 1.326 2011/04/06 13:18:39 claudio Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -543,13 +543,14 @@ struct pf_rule {
struct pf_rule_addr dst;
#define PF_SKIP_IFP 0
#define PF_SKIP_DIR 1
-#define PF_SKIP_AF 2
-#define PF_SKIP_PROTO 3
-#define PF_SKIP_SRC_ADDR 4
-#define PF_SKIP_SRC_PORT 5
-#define PF_SKIP_DST_ADDR 6
-#define PF_SKIP_DST_PORT 7
-#define PF_SKIP_COUNT 8
+#define PF_SKIP_RDOM 2
+#define PF_SKIP_AF 3
+#define PF_SKIP_PROTO 4
+#define PF_SKIP_SRC_ADDR 5
+#define PF_SKIP_SRC_PORT 6
+#define PF_SKIP_DST_ADDR 7
+#define PF_SKIP_DST_PORT 8
+#define PF_SKIP_COUNT 9
union pf_rule_ptr skip[PF_SKIP_COUNT];
#define PF_RULE_LABEL_SIZE 64
char label[PF_RULE_LABEL_SIZE];
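Review bot: Inserting PF_SKIP_RDOM forces every later PF_SKIP_* constant to be renumbered by hand, which is exactly the churn an enumeration avoids: `enum { PF_SKIP_IFP, PF_SKIP_DIR, PF_SKIP_RDOM, PF_SKIP_AF, PF_SKIP_PROTO, PF_SKIP_SRC_ADDR, PF_SKIP_SRC_PORT, PF_SKIP_DST_ADDR, PF_SKIP_DST_PORT, PF_SKIP_COUNT };` keeps the values dense and makes the insertion point obvious. Since PF_SKIP_COUNT sizes the `skip[]` array inside `struct pf_rule`, the struct layout changes; if that struct crosses the pf ioctl boundary unchanged, userland tools built against the old header would need rebuilding, which may deserve a mention in the commit message. struct pf_rule starts and ends outside this hunk.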
@@ -581,6 +582,7 @@ struct pf_rule {
pf_osfp_t os_fingerprint;
int rtableid;
+ int onrdomain;
u_int32_t timeout[PFTM_MAX];
u_int32_t states_cur;
u_int32_t states_tot;
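Review bot: The new `onrdomain` field carries no comment, and its sentinel (a negative value means "not set", judging by the `>= 0` guards in pf.c and pf_ioctl.c) is only discoverable by reading the matcher; suggest `int onrdomain; /* rdomain the packet must belong to, -1 = any; ifnot negates */`. `rtableid` directly above now follows the same negative-means-unset convention after the `>= 0` change in pf_rule_copyin, so documenting the two together would help. struct pf_rule starts and ends outside this hunk.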